Description
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Published: 2026-05-20
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Multiple flaws in the BIND 9 DNS server (`named`) are triggered by DNS messages whose CLASS is not Internet (IN), for example CHAOS or HESIOD, or that use the meta-classes ANY or NONE in the question section. When such requests reach the affected code paths (recursive queries, dynamic updates, zone change notifications, or processing of IN-specific record types in non-IN data), they trigger assertion failures. These failures can crash the server process, leaving clients that rely on it without DNS resolution. The assigned weaknesses are out-of-bounds read (CWE-125), improper input validation (CWE-20), reachable assertion (CWE-617), improper check for unusual or exceptional conditions (CWE-754), and type confusion (CWE-843).

Affected Systems

ISC BIND 9 is affected. The vulnerability applies to BIND 9 releases 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, and 9.21.0 through 9.21.21, as well as the -S1 (Supported Preview Edition) releases 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. Because no EPSS score is available, the current likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. Attackers can potentially leverage open DNS resolvers to send malicious queries, exploiting the flaw over the network. While the outage is limited to the affected server, an unavailable DNS service can disrupt all downstream applications that depend on it.

Generated by OpenCVE AI on May 20, 2026 at 14:36 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.


Vendor Workaround

Don't configure zones other than Internet (`IN`) class. Furthermore, do not expose the server that allows DNS Dynamic Update to the general Internet.


OpenCVE Recommended Actions

  • Upgrade to a patched release: BIND 9 9.18.49, 9.20.23, or 9.21.22 (or the -S1 releases 9.18.49-S1 or 9.20.23-S1).
  • Reconfigure BIND so that only the Internet (IN) class is used for zones; avoid configuring zones with other CLASS values.
  • If DNS dynamic update is required, restrict the service to trusted hosts or disable it entirely and ensure it is not exposed to the public Internet.
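
The first two actions can be checked mechanically. The following is an added example, not code from ISC or OpenCVE: it tests a version string against the affected ranges listed on this page and flags `zone`/`view` statements in a `named.conf` text that declare a class other than IN. The function names and the sample configuration are constructed for illustration, and the comment stripping is a simplification that does not honour quoted strings.

```python
import re

# Affected ranges as listed on this page, inclusive; "S1" is the -S1 edition.
AFFECTED = {
    "": [((9, 11, 0), (9, 16, 50)), ((9, 18, 0), (9, 18, 48)),
         ((9, 20, 0), (9, 20, 22)), ((9, 21, 0), (9, 21, 21))],
    "S1": [((9, 11, 3), (9, 16, 50)), ((9, 18, 11), (9, 18, 48)),
           ((9, 20, 9), (9, 20, 22))],
}

def is_affected(version):
    """True if e.g. '9.18.48' or '9.20.9-S1' falls inside a listed range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(S1))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    ver = tuple(int(x) for x in m.group(1, 2, 3))
    return any(lo <= ver <= hi for lo, hi in AFFECTED[m.group(4) or ""])

# Simplification: strips /* */, // and # comments without honouring quotes.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# Matches: zone "name" <class> {   and   view "name" <class> {
STATEMENT = re.compile(r'\b(zone|view)\s+"?([^\s"{;]+)"?\s+([A-Za-z]+)\s*\{')

def non_in_statements(conf_text):
    """Return (kind, name, CLASS) for zone/view statements whose class is not IN."""
    text = COMMENTS.sub("", conf_text)
    return [(kind, name, cls.upper())
            for kind, name, cls in STATEMENT.findall(text)
            if cls.upper() != "IN"]

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = '''
options { directory "/var/named"; };
view "internal" {
    zone "example.com" IN { type primary; file "example.com.db"; };
    zone "legacy.example" { type primary; file "legacy.db"; };
};
view "chaos-view" chaos {
    zone "bind" chaos { type primary; file "bind.db"; };
};
// zone "old.example" hs { type primary; file "old.db"; };
'''

if __name__ == "__main__":
    for v in ("9.18.48", "9.18.49", "9.20.9-S1"):
        print(v, "affected" if is_affected(v) else "not in listed ranges")
    for kind, name, cls in non_in_statements(SAMPLE_CONF):
        print(f"{kind} {name!r} uses class {cls}")
```

To audit a real server, pass in the output of `named-checkconf -p`, which prints the configuration with included files expanded, and the version reported by `named -v`.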



Advisories
Source: Debian DSA
ID: DSA-6285-1
Title: bind9 security update

History

Wed, 20 May 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Isc bind 9

Type: Vendors & Products
Values Added: Isc bind 9

Wed, 20 May 2026 13:15:00 +0000

Type: Description
Values Added: same text as the Description at the top of this page

Type: Title
Values Added: Invalid handling of CLASS != IN

Type: First Time appeared
Values Added: Isc; Isc bind

Type: Weaknesses
Values Added: CWE-125, CWE-20, CWE-617, CWE-754, CWE-843

Type: CPEs
Values Added: cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Isc; Isc bind

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-05-20T13:40:20.966Z

Reserved: 2026-04-09T06:40:07.319Z

Link: CVE-2026-5946

Vulnrichment

Updated: 2026-05-20T13:40:09.915Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T13:16:40.157

Modified: 2026-05-20T14:04:57.320

Link: CVE-2026-5946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T14:45:32Z